PriMoThemes — now s2Member® (official notice)

exploit errors reported

s2Member Plugin. A Membership plugin for WordPress®.

Postby togethernet » November 2nd, 2011, 1:53 pm

Hi

I thought I would install and run the plug-in WordPress Exploit Scanner (http://ocaoimh.ie/exploit-scanner/)

It throws a lot of errors from the s2Member plug-in with respect to use of the eval function.

Put my mind at rest?

Re: exploit errors reported

Postby Cristián Lávaque » November 2nd, 2011, 11:33 pm

eval has its valid uses. The WordPress team reviews plugins posted there and wouldn't have let s2Member remain there if it were a threat. :)

I'm emailing Jason in case he wants to comment on this.
Cristián Lávaque http://s2member.net
Is s2Member working for you? Please rate it at WordPress.org. Thanks! :)

Re: exploit errors reported

Postby Jason Caldwell » November 3rd, 2011, 2:54 pm

Thanks for the heads up on this thread.
togethernet wrote:
Hi

I thought I would install and run the plug-in WordPress Exploit Scanner (http://ocaoimh.ie/exploit-scanner/)

It throws a lot of errors from the s2Member plug-in with respect to use of the eval function.

Put my mind at rest?
I can appreciate your concern. Yes, eval() does have valid uses.

s2Member's use of the eval() function allows site owners, and ONLY site owners to incorporate PHP code of their own into some of s2Member's configuration panels. For instance, see: s2Member -> General Options -> Login/Registration Design -> Footer HTML/PHP Code.

[Attachment: SNAG-0107.png]

So, while the use of eval() CAN certainly introduce security issues, s2Member's use of eval() is limited to only those areas which process code introduced by the site owner, or by s2Member itself. s2Member will NOT eval() untrusted data (i.e. data introduced by a user/browser/cookie/query string/etc.). I'm not aware of s2Member having any security issues in this regard, with respect to the eval() function.

On a Multisite Blog Farm installation, the use of eval() can be disabled completely, since you would have site owners with child Blogs on your Network. In cases such as those, the additional documentation that comes with a Multisite Network Support Package allows Network administrators to disable the use of eval() in areas of s2Member that allow site owners to introduce PHP code of their own.

That being said, I do NOT recommend disabling eval() in s2Member on a standard WordPress installation, or even on a typical Multisite Network installation. The only time that would be practical is if you were running a "Blog Farm", where you would have untrusted site owners.

Definition of a Multisite Blog Farm:
If your Network is making it possible for "Members" of your Main Site to create and/or manage Blogs (in any way), s2Member will consider your installation to be a Multisite Blog Farm. That being said, some site owners run a Multisite Network for the purpose of maintaining their own sites. The term Multisite Blog Farm does NOT apply to a Network that hosts multiple Child Blogs, all of which are operated by a single site owner and/or a single company. Again, a Multisite Blog Farm (in the eyes of s2Member) is any Network that is making it possible for "Members" of its Main Site to create and/or manage Blogs, where one or more of these Child Blogs is being administered by a Customer (e.g. if you offer both Membership and Blog creation).
~ Jason Caldwell / Lead Developer
& Zeitgeist Movie Advocate: http://www.zeitgeistmovie.com/

Is the s2Member plugin working for you? Please rate s2Member at WordPress.org.
You'll need a WordPress.org account (comes in handy). Then rate s2Member there.
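The distinction Jason draws above (a scanner flags every eval() call, but what matters is where the evaluated string comes from, and whether a Network admin can switch the feature off) can be shown in a few lines. The following is an added illustration written for this page; it is not s2Member's code and does not use s2Member's real option names. The options array stands in for the WordPress options table that only a site administrator can write to, and the EXAMPLE_DISABLE_OWNER_PHP constant is a hypothetical stand-in for the Blog Farm kill switch the Multisite documentation describes.

```php
<?php
// Added illustration, not s2Member's code. Models the policy described in the
// post: eval() only ever receives code the site owner stored in the options
// table, never request data, and a network-level switch disables it entirely.

// Constructed stand-in for the options table. In WordPress only a user with
// manage_options (the site owner) can write this value through the admin panel.
$options = [
    'footer_php' => '<p>Logged in as <?php echo htmlspecialchars($user); ?></p>',
];

// Hypothetical constant a Network admin would set in wp-config.php on a
// Blog Farm, where child-site owners are not trusted to run PHP.
define('EXAMPLE_DISABLE_OWNER_PHP', false);

/**
 * Render the owner-supplied footer. The string passed to eval() is read from
 * the options store and nowhere else; $user is the only variable exposed to it.
 * Anything arriving via $_GET, $_POST or $_COOKIE has no path into this function.
 */
function render_owner_footer(array $options, string $user): string
{
    $code = $options['footer_php'] ?? '';
    if ($code === '') {
        return '';
    }

    if (EXAMPLE_DISABLE_OWNER_PHP) {
        // Kill switch: keep the owner's HTML, strip the PHP blocks, evaluate nothing.
        return (string) preg_replace('/<\?php.*?\?>/s', '', $code);
    }

    // The leading "?>" drops eval() into HTML mode so mixed HTML/PHP behaves
    // like a template. Output is buffered and returned rather than echoed.
    ob_start();
    eval('?>' . $code);
    return (string) ob_get_clean();
}

// With the switch off this prints: <p>Logged in as alice</p>
// With EXAMPLE_DISABLE_OWNER_PHP set to true it prints: <p>Logged in as </p>
echo render_owner_footer($options, 'alice'), PHP_EOL;
```

When reviewing a scanner report like the one in the first post, this is the question to ask of each flagged eval(): can the evaluated string be traced back only to a store that requires administrator capability to write, and is there a deployment-level way to turn it off where those administrators are not trusted? A static scanner cannot answer that, which is why it reports every occurrence.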